
Report of the Defense Science Board Task Force on Defense Biometrics

March 2007

Office of the Under Secretary of Defense
For Acquisition, Technology, and Logistics
Washington, D.C. 20301-3140

This report is a product of the Defense Science Board (DSB). The DSB is a Federal Advisory Committee established to provide independent advice to the Secretary of Defense. Statements, opinions, conclusions, and recommendations in this report do not necessarily represent the official position of the Department of Defense.

The DSB Task Force on Defense Biometrics completed its information gathering in September 2006. This report is UNCLASSIFIED and releasable to the public.

Chapter 1: Executive Summary

A Defense Science Board Task Force was organized to address a number of issues relating to the use of Biometrics in the Department of Defense. The Terms of Reference (Appendix A) asked that specific organizational issues be addressed promptly, and the Task Force provided an interim briefing that focused on these issues.

While the terms of reference refer to “biometrics,” the Task Force is convinced that “identity management” is the more inclusive and the more useful construct. The Task Force holds two companion theses. First, while we can come up with an endless set of scenarios in which biometrics might be called upon to play a role, with analysis and a little abstraction, without losing the essence, the endless array of scenarios can be reduced to a compact set of “use cases”. This compact set of use cases will help us appreciate our companion thesis, that a common “back office” process (and associated “data model”) can be envisioned to service all the biometric, and thus Identity Management, use cases.

That said, we clearly did not have either the time or the resources to study Identity Management (IM) conclusively, especially in terms of the broadened set of organizational associations, use cases and Defense applications, and even social issues, attendant to that sprawling field. The “common back-office process,” and related architecture, to support biometrics, as alluded to just above, is itself a rich field of study that deserves and demands close attention and broader treatment than we were able to provide here. Another important aspect of the total subject of Identity Management is the whole universe of tokens and credentials. There are many of these, in as many different formats and standards as there are applications. Only some of them support, or are used in conjunction with, biometrics. We speak to some extent of the credential standard mandated for use across the federal government, called FIPS-201. Beyond that, however, this large and important topic will have to await a broader treatment of the whole of Identity Management, and we do recommend that such an effort be undertaken with a fully scoped charter.

What we have sought to do is to examine biometrics carefully, and we have placed those issues, both technological and “organizational,” into the operational context of their use in strengthening IM processes. There remains, however, much to be done to understand and implement needed changes in organization, technology, and process before IM can achieve its full potential in the DoD or elsewhere. It is noteworthy that while significant progress is being made, both inside the DoD and across the federal government, to define and implement organizational approaches to biometrics, these efforts have yet to explicitly embrace the larger scope of IM, systemically. The Task Force holds that the enhancements to biometrics management we cite here are in the critical path to that outcome. However, it should be understood that such improvements in biometrics only, while necessary, are insufficient to the total need.

The Task Force finds that biometrics suffers from a characteristic of many “new” areas of technology and application. At the outset, biometrics had (it seems) as many advocates making unsupportable performance claims as it had detractors decrying its mystery, uncertainty and unacceptability on the basis of historic formulations of governance, privacy, etc. It is also true that in biometrics the truth lies between these extreme positions, and for the most part, has yielded to thoughtful technical analysis and collaborative, inclusive, organizational effort. The Task Force will make several recommendations designed to advance these two parallel but associated lines of effort, the technological and the organizational.

Identity management, the output of the application of biometrics, and the real issue here, is vitally important to the success of many missions of the Department, and increasingly so. This growing importance, however, has not been reflected in the attention the Department has paid to the topic. At the outset of our study, the Department was neither well organized nor properly motivated for success in identity management, or biometrics. Since then, the Department has significantly improved its focus on management of the biometrics mission. Activities and responsibilities in the larger scope of Identity Management, however, remain broadly distributed across a number of Defense organizations, and we believe that the Department must embrace the larger construct. Several factors presage the increasing importance of identity management.

- Logical Access Control: The inexorable increase in information-based processes and increasingly critical dependence on the confidentiality, integrity and availability of information demand stringent controls on logical access which, in turn, stress authentication techniques.
- Physical Access Control: Increasing terrorist threats to our personnel, facilities and capabilities demand similarly stringent controls on physical access, which too stresses authentication techniques. Likewise, criminal threats to our resources.
- Targeting: Our military and intelligence concerns in the Global War on Terrorism have largely shifted away from nation states and their facilities, and toward individuals.

The Task Force found need for clarifying and strengthening, perhaps reassigning, authorities and responsibilities for the full cast of DoD roles:

- Principal Staff Assistant (PSA): An empowered, dedicated Assistant Secretary-level individual who can provide and/or coordinate effectively the policy, strategic direction, oversight and evaluation; ensure sound programmatics and adequate resources within the Department; serve as “functional advocate” for biometrics (and eventually, identity management); and represent the Department in relevant interagency, intergovernmental and international processes.
- Joint Staff Advocate: A similarly empowered individual of status who would be designated as the primary focal point for staffing and coordination of biometrics issues on the Joint Staff.
- Combatant Commander: A designated commander responsible for developing and/or coordinating the requisite Concepts of Operations (CONOPS), joint experimentation and training, and joint and inter-agency doctrine for the military applications of biometrics.


- Executive Agent: A service, agency or field activity that can support the PSA in implementing, under PSA authority, Defense-wide programs for acquiring, fielding, sustaining and training, and in some cases operating, the biometric and related systems.

The Task Force stopped short of making recommendations about the assignment of these roles and responsibilities to specific Departmental entities, with the exception of the role of Joint Forces Command in areas related to experimentation, doctrine and training, tactics and procedures (TTP). It did previously provide a list of obvious candidates with its assessment of their respective strengths and weaknesses. The Task Force also provided a number of interim findings and made several interim “process” recommendations.

Among the interim findings which have been substantiated and/or reinforced by subsequent study, the Task Force finds:

- The importance of identity management and the role of biometrics in the Department of Defense are underappreciated. Identity management and biometrics represent a key enabler in the Global War on Terrorism, can save lives, are essential to Information Assurance (which is key to Mission Assurance), and have international implications where our leadership is in question.
- The present management structure largely reflects pre-9/11 requirements: a “blue” focus inside DoD, and conceived in the context of information assurance. However, requirements and applications have grown with the emergence of “red” and “gray” requirements, HSPD/NSPD-driven requirements, increased inter-agency and international interests, and the growing importance of forensics on the battlefield.
- Urgent battlefield needs are not being met. The current “program” appears to lack the necessary warfighter customer orientation. The current execution appears to be inefficient and opportunities are being missed.
- Requirements will continue to grow as current business processes scale up, as new applications come on line, as the adversaries adapt and as new threats emerge.
- Technology is changing for the better. New technologies must be inserted rapidly. In some cases, technology will need to be stimulated to meet the most demanding military applications.
- There appears to be considerable benefit in a Department-wide authority for identity management and biometrics, accountable and responsible for its funding, policy, vision and direction, and sustainment.

Irrespective of the specific organizational “who,” the Task Force found that certain actions were imperative and urged that, without further delay, the Department:

- Decide who is/will be the ID-Mgmt/Biometrics Principal Staff Assistant (PSA) and update the documentation to reflect that reality.


- Designate the PSA for biometrics as a “functional advocate” for biometrics issues within and across the Global Information Grid (GIG).
- Formalize and strengthen relationships between the Biometrics Fusion Center (BFC), the Defense Manpower Data Center (DMDC), and all other Defense entities with explicit and/or implicit biometric/identity management roles and/or missions.
- Decide promptly on a comprehensive (data) architecture for backup and disaster recovery.
- Identify and establish central OSD oversight of all Defense-wide Biometrics activities immediately, to include the Armed Forces Joint Identification Laboratory in Rockville, MD, and its DNA repository.[1]
- Identify and establish management oversight of all biometrics programmatic activities within a consolidated program of record. Capture (interim) requirements in time to intersect the FY07 PDM; create a Defense-wide Biometric funding program and immediately put a “wedge” in the FY08 POM. Subsequently, consider a Defense-wide funding program for the larger Identity Management activities, including RDT&E, Procurement, O&M, personnel, and training.
- Create a permanent manning document for the Biometric Fusion Center (BFC) at/above current staffing levels; establish joint billets as appropriate, and designate the BFC as “critical infrastructure.”
- Establish all required identity management CONOPS, doctrine, experimentation, training and education programs and processes.

We were gratified when, on 4 October 2006, the Deputy Secretary of Defense designated the Director, Defense Research & Engineering (DDR&E) as the Principal Staff Assistant (PSA) for biometrics,[2] with responsibility for the authority, direction, and control of DoD biometrics programs, initiatives, and technologies. The Army was named in the same document as Executive Agent, with defined responsibilities under the direction of the PSA. Most of the specific recommendations contained in the report, then, are aimed at the PSA. These are distributed throughout the report and recapitulated in the last chapter, categorized according to whether they reflect: internal DoD issues; issues external to DoD; remaining organizational issues; R&D, materiel and technology issues; information management issues; and/or, legal and privacy issues.

[1] We call DNA out here specifically as there is, at present, definitional debate within the US government regarding the proper “status” of DNA as a “true biometric”. Based on the range of DoD use cases involving DNA, the Task Force has chosen to define DNA as a “biometric modality,” even while recognizing its unique character.

[2] See Appendix C of this report.


Finally, although the art form of reports such as this often presages key recommendations in the Executive Summary, we do not. There are simply too many. Instead, we have chosen to recapitulate all the recommendations and their associated conclusions in Chapter 18. These are characterized according to the category of the recommendation: Information management and sharing; R&D and technology; Issues external to the Department of Defense; Internal issues; Organizational issues; and Legal and privacy issues. Where the recommendations fall into more than one category, they are duplicated for convenience, and within each category the recommendations are treated in the order of their appearance in the body of the report.

Chapter 2: Introduction

Introduction—Identity Management and Biometrics

From its inception, this Defense Science Board Task Force on Biometrics understood that its job was to examine a topic which was urgent, complex, somewhat new and distinctly open-ended. “Biometrics” was and is seen as an emerging field of growing importance to the Department of Defense and the nation’s security more broadly. The first and most important finding of the Task Force was that in order to understand the science and applications of biometrics, these must first be placed in context. The Task Force brought a variety of views to bear, but there was unanimity that the “real” topic of discussion was “identity management” rather than simply “biometrics.” Biometric identification supports identity management, which is a key to success in many mission areas in the Department of Defense and in the larger national and homeland security context both in the US and internationally.

Identity management is increasingly critical to the success of many missions of the Department of Defense, but this growing importance is not reflected in the attention the Department has paid to the topic in the past. The Department of Defense has been neither well organized nor properly motivated for success in identity management.

The recent appointment of the Director of Defense Research and Engineering (DDR&E) to act as the OSD Principal Staff Assistant (PSA) for biometrics[3] is a very positive step in this complex process. There is much work to be done in biometrics, and the DDR&E, working with organizations inside and outside the Defense Department, will be busy with it for some time. That said, the Task Force has sought to make the case that biometrics are inseparable from the larger field of Identity Management (IM), in almost any application or level of treatment other than pure science and research. Beyond that, Identity Management is itself linked intrinsically to Information Assurance (IA), in ways which have been described in some detail in recent DSB reports.

[3] Deputy Secretary of Defense memo dated 4 October 2006 -- See Appendix C. The same document defined the role of the Army as Executive Agent.

Pragmatically, we must conclude that it would be difficult to define, here and now, the proper organizational/technology approach to a universally biometrically-enabled, strongly-identified and assured, global information grid. However, that must be the procedural path along which we are looking and thinking, even now. Consequently, we must begin to structure our attention, and increase our understanding, within that expanded scope of interest.

As discussed throughout, the Task Force was clear that no examination of biometrics could fail to consider Identity Management (IM). However, it was just as clear to us that we did not have the time or resources to study the full scope of IM comprehensively, and that remains an unfulfilled need to be accomplished in the proper time and way.

In any very small group there is no need for identity management. However, whenever populations become more numerous, especially if they are not always or ever in physical contact with each other, distinguishing among individuals becomes steadily more important. In national security matters, as friend/foe distinctions such as clothing (uniforms) diminish in incidence and usefulness, this point is underlined. Differentiation based on sight, sound and smell provided the earliest distinctions, and the data management was initially based on “full path names”—i.e., the “begats”.

Today, identity management is more important than ever. Names carry less information today and are less unique, but biometrics have improved markedly, as have our data management capabilities. Both are far from perfect, however, and set the agenda for our task force, as did the set of DoD missions that depend on identity management and therefore on biometrics.

To reiterate, biometrics is but a means to an end, while identification is the goal. Indeed, trying to define “biometric” in the current context is next to impossible without invoking the idea of identity, identity management, and/or identity management system.

An identity management system, here, is meant to include both algorithms, their instantiation in software/hardware, as well as data. The data are an organized collection of information about specific individuals. Indeed, when we ask “who are you,” we are really asking “what are you” - e.g., friend or felon?

It is easiest to think of an identity database as a relational database, rows and columns, where the rows (“entities” or “records”) are individuals, where the columns (or “attributes”) are characteristics or categories of information about individuals, and where the columnar entries (or fields) represent the particulars for that individual. Certain of the attributes serve principally to “identify” you, that is, to allow one to query (or “index into”) the database and retrieve some or all of your record. Among traditional “identifiers” are name and social security number (SSN). Names may be our first impulse, but they are notoriously ambiguous and generally not sufficiently unique. SSN is more unique. All of these variables, however, suffer from the problem that they can be compromised relatively easily - bought, stolen, or invented. Thus, they are increasingly insufficient, by themselves, for identification. That brings us to biometrics.

The National Science and Technology Council (NSTC) subcommittee on biometrics defines biometrics as:

    A measurable biological (anatomical and physiological) and/or behavioral characteristic that can be used for automated recognition.

Their use of the qualifier “automated” reflects the practical utility of actual biometric systems, which otherwise would be generally inefficient and ineffective because of the uncontrolled/unknown error rates and biases that humans introduce. Read “recognition,” per the preceding discussion, as the ability to retrieve with high confidence the identity record of the individual, i.e., to index into an identity database. Their definition accords well with standard dictionary usage:

    The term biometric is the name given a technology that is the measurement of a living, human characteristic. This process includes the ability to measure characteristics such as fingerprints, voice recordings, irises, heat patterns, keystroke rhythms, and facial images; comparing a person's unique characteristics against previously enrolled images for the purpose of recognition. The unique pattern of a physical feature such as a fingerprint, iris, or voice as recorded in a database for future attempts to determine or recognize a person's identity when these features are detected by a reading device.

Identity vs. “Collateral Data”

It is useful to separate conceptually the “identity” and those “collateral data” which are pointed to by the identity, or which point to the identity. In one case, the identity is used to reference or retrieve or “index into” collateral data. In the second case, items of biographic data may simply be an explicit “back-pointer” or it may be implicit, i.e., inferred from sufficiently unique items of biographic or privilege data.[4]

Furthermore, it is useful to conceptually separate the “biographic” from the “privilege” data. Biographic information, including established “roles” for the individual, provides the basis for the need and/or “suitability” decisions to confer a right or a privilege. Privilege information includes a description of the privilege granted and, perhaps, pointers to the biographic information on which the decision was based. Some form of “back chain” from the basis-information to the privilege would support dynamic reconsideration of the privilege by the grantor when basis information changes, which would otherwise require (frequent) periodic polling. The relationship of “identity” to “privileges,” including the management processes related to both, is an important one.

Collateral information also includes physiological data, those items of information common to all individual humans. We all were born at a time and in a place; we all have height, weight, hair and eye color, etc. Many of these characteristics are commonly used to “recognize” an individual, i.e., to confirm an identity. Some, like fingerprints or DNA, are sufficiently unique and durable/unchanging to support strongly fixing an identity. It is these that we refer to as biometrics.

It is also important to define “identity.” Strictly speaking, “identity” is the “unit of analysis” (or record or row) in an identity management system. A particular identity is a particular record which (in a well-ordered system) has a unique “accession number,” which one also might think of as “the identity.” When associated with individual humans in a system, the concept of “root identity” emerges, as discussed below.

[4] The bane of the privacy community is the ability to follow the logical threads using these pointers, which will disclose a lot of “peripheral” information from one or a few pieces of information. This is particularly troublesome when, in the eye of the individual, the peripheral information is not seen as germane to the legitimate purpose of conferring a right or a privilege. The more complete (and organized) the totality of the ensemble of information, the more inferential threads that can be pulled, and the more worrisome the process is to privacy advocates.
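The relational picture of an identity record, the separation of “biographic” from “privilege” data, and the “back chain” from basis information to dependent privileges described in the preceding paragraphs, as an added example that is not part of the report. It is a small Python model: the accession number serves as the root identity, a digest of a constructed biometric template is the identifier used to index into the record, and each privilege keeps pointers to the biographic attributes that justified it, so a change to one of those attributes triggers re-evaluation of only the dependent privileges rather than periodic polling of every grant. All record names, templates and suitability rules are constructed sample data, and the exact-match digest stands in for a real biometric matcher.

```python
"""Toy identity-management data model (constructed illustration, not DoD code)."""
from dataclasses import dataclass, field
from typing import Callable
import hashlib


@dataclass
class Privilege:
    name: str
    basis_attrs: tuple              # pointers to the biographic fields the grant rests on
    rule: Callable[[dict], bool]    # the grantor's "suitability" decision
    granted: bool = False


@dataclass
class Identity:
    accession: str                  # the "root identity": unique accession number
    biographic: dict = field(default_factory=dict)   # basis information
    privileges: dict = field(default_factory=dict)   # privilege name -> Privilege


class IdentityStore:
    def __init__(self):
        self.records: dict = {}          # accession -> Identity (the "rows")
        self.biometric_index: dict = {}  # identifier (template digest) -> accession
        self.back_chain: dict = {}       # (accession, attr) -> names of dependent privileges
        self.log: list = []

    @staticmethod
    def template_key(template: bytes) -> str:
        # Stand-in for a matcher: exact-match digest of a constructed template.
        return hashlib.sha256(template).hexdigest()

    def enroll(self, accession: str, template: bytes, **biographic) -> str:
        key = self.template_key(template)
        if key in self.biometric_index:
            # Uniqueness check at enrollment: one template may not map to two identities.
            raise ValueError("template already enrolled")
        self.records[accession] = Identity(accession, dict(biographic))
        self.biometric_index[key] = accession
        return accession

    def lookup(self, template: bytes):
        """Recognition: index into the identity database via the biometric identifier."""
        acc = self.biometric_index.get(self.template_key(template))
        return self.records.get(acc) if acc else None

    def grant(self, accession: str, priv: Privilege) -> bool:
        rec = self.records[accession]
        priv.granted = priv.rule(rec.biographic)
        rec.privileges[priv.name] = priv
        # Record the back chain from each basis attribute to this privilege.
        for attr in priv.basis_attrs:
            self.back_chain.setdefault((accession, attr), set()).add(priv.name)
        return priv.granted

    def update_biographic(self, accession: str, attr: str, value) -> list:
        """Change a basis attribute and reconsider only the privileges chained to it."""
        rec = self.records[accession]
        rec.biographic[attr] = value
        changed = []
        for name in sorted(self.back_chain.get((accession, attr), ())):
            priv = rec.privileges[name]
            before, priv.granted = priv.granted, priv.rule(rec.biographic)
            if before != priv.granted:
                changed.append((name, priv.granted))
                state = "granted" if priv.granted else "revoked"
                self.log.append(f"{accession}: {name} {state} after {attr} changed")
        return changed


def demo():
    store = IdentityStore()
    alice_tpl = b"TEMPLATE-ALICE-0001"   # constructed opaque template, not a real biometric
    store.enroll("ACC-0001", alice_tpl, name="A. Example",
                 clearance="SECRET", employer="Contractor X")
    store.grant("ACC-0001", Privilege("facility_access", ("clearance",),
                                      lambda b: b["clearance"] in ("SECRET", "TOP SECRET")))
    store.grant("ACC-0001", Privilege("network_login", ("employer",),
                                      lambda b: b["employer"] != "none"))
    rec = store.lookup(alice_tpl)                      # retrieve the record by template
    changes = store.update_biographic("ACC-0001", "clearance", "NONE")  # basis lapses
    states = {n: p.granted for n, p in rec.privileges.items()}
    return rec.accession, states, changes, store.log


if __name__ == "__main__":
    print(demo())
```

Running the demo shows that when the clearance attribute changes, only `facility_access` is reconsidered and revoked; `network_login`, whose basis is the employer field, is untouched, which is the point of keeping explicit pointers from each grant to its basis information.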


Identity Assurance

Digital identities have become critical in both civilian and federal enterprises. They represent a high assurance level that the identity of a person has been adjudicated by an enterprise or agency according to policy and therefore maintain a certain status of reliability. However, as with most attempts to create interoperability between organizations, there is the reality that individual organizations or agencies will not trust the credentials issued by other organizations or agencies. It is generally true at present that there is no surety that the standards are common between them, and the credentials therefore might not meet their standards. The effort to achieve cross-organizational management confidence, in root identity and authorities, is the stuff of Privilege Management, which we will discuss later.

HSPD-12[5] and its related technical standard, FIPS 201,[6] is one example of many sets of initiatives to improve Identity Assurance. From our point of view, it is by far the most important, as it is mandatory across the entire federal executive enterprise. HSPD-12 specifically addresses the federal government and extends explicitly to certain commercial entities (federal contractors). It has been extended implicitly to state, local and tribal governments within the United States, in the form of assuring access to, and interoperability within, certain federal programs. The FIPS-201 technical standard developed under authority of HSPD-12 has been adapted in other current programs with even broader scope, such as the Transportation Worker Identification Credential (TWIC), and the First Responder Access Card (FRAC). We expect this trend to continue.

The FIPS-201 standard is a smart card based on common criteria to verify an individual’s identity; is strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitations; allows for personal identity to be rapidly verified electronically if visiting other facilities; and comes from a controlled set of issuers to assure quality and standards. The whole process is made more rigorous by the background checks conducted prior to issuance to ensure the applicant’s eligibility and uniqueness within the database.

An Identity Management “System”

The real meat of a modern Identity Management system is not the front end, badges, tokens, and/or biometrics, but the information system in which they operate, the “IT backplane”. This recognition represents a change in the attitude of program sponsors and the user population. Complex/expensive tokens (e.g. Smart Card) are useful and prescribed in many applications but,

[5] Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors requires government-wide uniformity and interoperability to support technical interoperability among departments and agencies, including card elements, system interfaces, and security controls required to securely store and retrieve data from the card.

[6] Federal Information Processing Standard (FIPS 201) for Personal Identity Verification (PIV) of Federal Employees and Contractors: This standard specifies the architecture and technical requirements for a common identification standard for Federal employees and contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to Federally controlled government facilities and electronic access to government information systems.


if limited to local operation, are often impractical in situations where DoD seeks an ID solution. The geographic and organizational scope, plus the growth in size of enrollee populations, has made it clear that modern networked IT solutions offer the best hope of achieving mission success. The centralization in design, development, management and operation that usually accompanies networked systems provides economies of scale and allows us to amortize costs over a larger set of uses. It also is associated with improvements in interoperability.

Focusing for a moment on tokens and credentials, it is clear that there are currently many of these in important roles. Some of them, hopefully the best, almost certainly the most expensive, use biometrics either “on-card” or in conjunction with stored indices. A complete review of tokens and credentials, and their role within a total Identity Management system, is beyond the scope of this report, but it remains an important issue within that larger field of study.

Identity Management is a set of processes, policies, tools, connectivities, and social contracts protecting the creation, maintenance, use and termination of an identity. Figure 1 shows a simplified data flow diagram depicting the creation of a Digital Identity Record in a traditional enterprise environment. Not all processes are the same and all will vary. It is here that decision makers and stakeholders, with the proper authority, can modify, search, and delete digital identities based on policy and accepted practice.

Figure 1: The Creation of a Digital Identity


Historically, the Department of Defense has had a number of different Identity Management “systems” of both large and small scale. Only very recently, with the advent of Presidential policy in the form of HSPD-12, has the federal government, and as such the Defense Department, moved toward a single, common and interoperable technology and policy approach to “Identity.” The technological particulars of the design, implementation and operation of any such system, of course, depend on:

- The purpose of the system: What problem or problems is it attempting to address? What DoD/USG missions does it seek to enable?
- The population subtended by the system, and the way the identities of these individuals would be authenticated.
- The scope of the data, both “identifiers” and “collateral” data, that would be gathered about individuals in support of “issuing an ID” - figuratively, i.e., enrolling them in the system; and, literally, i.e., issuing a token - and the way that identity would be correlated with (mapped to) data about the individual in any databases associated with the system.
- The users of the system, those who would be issued an ID, Department and OGA officers and, perhaps, non-federal authorities including the private sector.
- The types of use allowed, and under what circumstances: What types of database queries about individuals would be permitted?
- Required “interoperability” with other databases. The ability to retrieve information and make inferences across multiple datasets.
  − The Task Force notes this important question appears to have been honored more in the breach than the observance as systems were fielded expediently in support of the warfighter.
- Degree to which data mining or analysis of the information collected would be permitted. Who would be allowed to do such analysis? For what purposes?
- Degree to which enrollment in and/or identification by the system (even if the individual had not formally been enrolled) would be mandatory or voluntary.
- Legal structures that protect the system’s integrity as well as the ID holder’s privacy and due process rights: What structures determine the government and relying parties’ liability for system misuse or failure?

Of all these features and considerations, HSPD-12 provides only the most basic, but this is the foundation upon which all else can be built. Put another way, absent the HSPD-12 foundation, all such effort would represent a house built on sand. As such, it defines the space within which remaining policy, technical, and organizational efforts are still required.


As has been pointed out,[7] implicit in the totality of these considerations is the notion of a “system” and not merely an ID card or biometric. The importance of the fact that identity management necessarily implies a “system” cannot be overstated. Such systems, at the scale that they would operate in the Department, necessarily imply the linking together of many social, legal, and technological components in complex and interdependent ways. The success or failure of such a system is dependent not just on the individual components (for example, the ID cards that are used or the biometric readers put in place) but on the ways they work, or do not work, together. For example:

- Are card enrollment/authentication devices located where they need to be?
- How well do the devices operate under various environmental and load scenarios?
- Who will operate the systems and how will they be trained and vetted?
- Do enrollment policies align with the security needs envisioned for the system?
- And so on.

How well these interdependencies are controlled, along with the mitigation of security vulnerabilities and the unintended consequences of the deployment of a system, will be critical factors in its overall effectiveness.

In addition to the questions above, the reference outlines several cautions to bear in mind when considering the deployment of a large-scale identity system:

- Given the costs, design challenges, and risks to security and privacy, there should be broad agreement in advance on what problem or problems the system would address.
- The goals of the system should be clearly and publicly identified and agreed upon, with input sought from all stakeholders.
- Care must be taken to explore completely the potential ramifications of deploying a large-scale identity system, because the costs of fixing, redesigning, or even abandoning a system after broad deployment would likely be extremely high.

[7] IDs—Not That Easy: Questions About Nationwide Identity Systems, Statement of Stephen T. Kent, Vice President and Chief Scientist, Information Security, BBN Technologies, and Chairman, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, The National Academies, before the Subcommittee on Social Security, Committee on Ways and Means, U.S. House of Representatives, March 16, 2006.

Identity Processes

The Identity Process is one of the most interesting and technologically challenging parts of the Identity Protection environment because of the complexities of how we do business. There are several separate and discrete parts to this process. They include:

Identity – Who you are.[8]

Authentication – The process which states that your identity and the activities that have been evaluated in your past meet the policy and integrity standards to be certified as a member of that organization or agency.

Assertion – The process of claiming an identity in order to obtain a privilege, or set of privileges, previously established for that identity.

Authorization – The act of granting a person permission to use, or have access to, specific physical or logical resources within that organization or agency.

In the world of Identity Protection there is a statement that rings true, and is an important point to remember when describing the Identity Process:

Identity / Authentication is a Universal Event, Authorization is a Local Event.

Translated, that means that you are, or should always be, the same person.[9] That is universal. However, you often have many different tasks and responsibilities that are unique to you, and which may be confined to specific situations or differing organizations/agencies. It is quite possible, or even probable, that you might have differing permission sets assigned to you depending on where you are accessing either physical or logical assets. There is technology for the Identity Process to directly address that in a very granular and secure fashion. It allows permission sets to be created, modified, and deleted quickly and efficiently based on policy, law, social convention, and security requirements.

The “Root” Identity

Authenticated root Identities are needed to make ID-enabled applications work. One can only get to the payback at the application layer of an Identity Management system after having undertaken the cost and effort of establishing verifiably-unique root identity enrollment. This identity must be “transportable” over time and distance, in terms that benefit both the enrollee and sponsor. The enrollee must be able to convincingly assert his true ID to access resources or avoid sanctions. This aspect of the total IM strategy, the creation of root Identity to a strong and common standard, is the focal point of the prescriptive provisions of HSPD-12.

[8] An important distinction here is the difference between “true identity,” a unique, provable fact, for which the only real proofs are biometric in nature; and a “persona” that one may adopt as being appropriate to some kind of identity-sensitive activity, such as sending e-mail or conducting an online auction. The easy distinction is that an Identity is an irreducible core fact, while a Persona, if it is to be trusted, should have recourse to a true or “root ID,” whether or not that is visible to all parties, all the time.

[9] The converse, of course, is that nobody else can be “you”.


The Role of Biometrics

There are numerous ID-sensitive applications extant today, especially in commercial practice, very many of which do not have an architectural/policy relationship to a true root identity. The contribution of biometric processes to the total ID enterprise is the offer of high assurance of uniqueness in initial registration, and added confidence to ID assertion in application. As such, while it is certainly possible to engage in ID-sensitive activities without biometrics, there can be no truly accurate Identity Management system without biometrics. In order to achieve, verify, and sustain that root identity, it is absolutely necessary to link the “legend,” biographic information claimed by an enrollee (name, date/place of birth, address, etc.), to the person making the claims at the bodily level. The emergence of this understanding has paced the growing role of IT networks in IM, as discussed above. Biometrics are difficult to verify in their original form, but they all lend themselves to codification, analysis and expression as IT files. Here the earlier point about social acceptance returns to the discussion. Public acceptance of biometrics has grown cautiously over time. Leading thinkers in the IM community have now been fielding applications that demonstrate and deliver real and practical benefits to consumers and managers, based on biometrics. At the same time, the subject of biometrics is being gradually demystified, even as the underlying science is more richly and broadly understood. Consequently, biometrics performance issues are being approached and examined more pragmatically, with fewer inflated expectations, and less unreasoning skepticism.

The maturation and availability of biometric capabilities within the Identity Management processes has added significantly to the power and reliability of Identity. Biometric technology involves the capture and storage of a distinctive, measurable characteristic, feature, or trait of an individual for subsequently recognizing that individual by automated means. The biological trait is unique to a specific person and, when intrinsically linked to the Identity Management process, creates an extraordinarily strong link between the identity credential, or token, that is presented and the person who has it in their possession.

The Identification Trinity

In the strongest identity formulation, we refer to “three factor authentication”: something you know, something you have, and something you “are.”

Something You Know

This includes passwords, PINs, pass-phrases, and answers to authentication questions such as the name of your first pet or car, your mother’s maiden name, or other personally meaningful association. In the best case, such information is known only to you and “the system.”

A selling point for such secrets as authenticators is that they are easily issued, invalidated in the event of compromise, and reissued upon authorized request. The down side is that, historically, they are readily compromised. Insofar as they tend to be meaningful to you, someone who knows you may know the secret or be able to guess the password or phrase. The more generally meaningful they are, the more susceptible to brute force “dictionary” attacks.

Attempts to strengthen the secret “key” generally make them less individually meaningful, harder to remember, and easier to forget. The general response is to write them down somewhere, another avenue to compromise.

Because different systems issue/register their own secret identifiers, coupled with the drive to make them less easily compromised, i.e., less meaningful, the response for those who must access multiple facilities/systems is to use the same secret on more than one system. This means that any compromise propagates across those systems. It also opens the door to an “attractant” system obtaining your secret as you register in that system unaware of its nefarious purpose.

For these and other reasons, multi-factor identification is preferred for serious security.

Something You Have

No matter how pervasive today’s digital technology, everyone has considerable experience with physical identity tokens, mainly social security cards,[10] driver’s license, passport, birth and/or baptismal certificate, employment-related badges, etc. Some of these tokens are often mistakenly referred to as “ID cards” but are, to a certain extent, vehicles for conveying “privilege.” They are generally the property of, and/or controlled by, the privilege grantor.

We have discussed HSPD-12 and its role in establishing strong root identity; its other major provision is the establishment of a common-format ID credential, which has become a technical standard known as FIPS-201. The DoD Common Access Card (CAC), which predates FIPS-201, has since migrated to a compliant standard. Some physical tokens may also contain digital certificates, crypto variables, and encoded biometric indices.

The Department of Defense has invested prestige and resources in its Common Access Card (CAC), sometimes referred to as CAC-card (sic). The fundamental goal of using the Common Access Card is to authenticate the identity of the cardholder (uniformed military, civilian DoD personnel and contractors) to a system or person that is controlling access to a protected resource or facility. This end goal may be reached by various combinations of one or more of the following validation steps.

Card Validation - The process of verifying that a CAC is authentic and has not been subjected to tampering or alteration. Card validation mechanisms include:

- Visual inspection of the tamper-proofing and tamper-resistant features of the CAC;
- Use of cryptographic challenge-response schemes with symmetric keys;
- Use of asymmetric authentication schemes to validate private keys embedded within the CAC.

[10] Never really intended to be an identity token or credential in the modern sense, it has no anti-tamper or ID authentication, as expressly stated on the card: “not to be used for identification purposes.”


Credential Validation - The process of verifying the various types of credentials (such as visual credentials, CHUID,[11] biometrics, CAC keys and certificates) held by the CAC. Credential validation mechanisms include:

- Visual inspection of CAC visual elements (such as the photo, the printed name, and rank, if present);
- Verification of certificates on the CAC;
- Verification of signatures on the CAC biometrics and the CHUID;
- Checking the expiration date;
- Checking the revocation status of the credentials on the CAC.

Cardholder Validation - The process of establishing that the CAC is in the possession of the individual who is the legitimate holder of the card. Classically, identity authentication is achieved using one or more of these factors: a) something you have, b) something you know, and c) something you are. The assurance of the authentication process increases with the number of factors used. In the case of the CAC, these three factors translate as follows: a) something you have - possession of a CAC, b) something you know - knowledge of the PIN, and c) something you are - the visual characteristics of the cardholder, and the live fingerprint samples provided by the cardholder. Thus, mechanisms for CAC cardholder validation include:

- Presentation of a CAC by the cardholder;
- Matching the visual characteristics of the cardholder with the photo on the CAC;
- Matching the PIN provided with the PIN on the CAC;
- Matching the live fingerprint samples provided by the cardholder with the biometric information on file at the Defense Manpower Data Center (DMDC).

Something You “Are”—Biometric Indices

Biometrics are physiological features, fingerprint or iris pattern, that can be sensed easily by the system and are sufficiently unique to distinguish you from others in the population. Your biometrics are not something you have to remember and might forget, so you don’t need to write them down. Biometric indices are generally harder to compromise than other authentication factors, so biometric-based identification is harder to repudiate.

In the previous discussion of the Common Access Card, biometrics are part of the multi-factor process in validating both the credential and the credential holder.
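A relying party running the three CAC validation layers just listed (card, credential, cardholder), as an added example that is not the report's or DMDC's code. Assumptions: the issuer's asymmetric signatures over the CHUID and biometric object are stood in for by HMACs under a constructed issuer key; card authentication uses the symmetric challenge-response scheme the report lists, with a per-card key diversified from a master; the live fingerprint is matched against the signed template carried on the card rather than the DMDC record, and templates are constructed minutiae sets.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed keys: stand-ins for the issuer's signing key and the card-key master.
ISSUER_SIGN_KEY = b"constructed-issuer-signing-key"
CARD_MASTER_KEY = b"constructed-card-master-key"
MATCH_THRESHOLD = 0.6  # fraction of enrolled minutiae the live sample must reproduce


@dataclass(frozen=True)
class Cac:
    chuid: bytes            # Cardholder Unique Identifier (constructed value)
    expires: str            # ISO date; ISO date strings compare correctly as text
    cert_serial: str        # certificate serial, looked up against the revocation list
    pin_hash: bytes         # hypothetical card-side PIN verifier
    fp_template: frozenset  # hypothetical minutiae template: {(x, y, angle), ...}
    chuid_sig: bytes        # issuer "signature" (HMAC stand-in) over the CHUID
    bio_sig: bytes          # issuer "signature" over CHUID + biometric template
    tamper_features_ok: bool = True  # outcome of the visual anti-tamper inspection


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def card_key(chuid):
    """Per-card symmetric authentication key diversified from the master (assumed scheme)."""
    return mac(CARD_MASTER_KEY, chuid)

def template_bytes(template):
    return repr(sorted(template)).encode()

def pin_hash(chuid, pin):
    return hashlib.sha256(chuid + pin.encode()).digest()

def issue_card(chuid, expires, cert_serial, pin, template):
    """Issuer side: bind CHUID, PIN verifier and biometric template under issuer signatures."""
    template = frozenset(template)
    return Cac(chuid, expires, cert_serial, pin_hash(chuid, pin), template,
               mac(ISSUER_SIGN_KEY, chuid),
               mac(ISSUER_SIGN_KEY, chuid + template_bytes(template)))

def card_responds(card, challenge):
    """What a genuine chip answers to a challenge (symmetric challenge-response)."""
    return mac(card_key(card.chuid), challenge)

def validate_card(card, responder):
    """Card validation: anti-tamper features, then challenge the chip with a fresh nonce."""
    if not card.tamper_features_ok:
        return "card: anti-tamper features failed inspection"
    challenge = secrets.token_bytes(16)
    if not hmac.compare_digest(responder(challenge), mac(card_key(card.chuid), challenge)):
        return "card: challenge-response failed"
    return None

def validate_credentials(card, revoked_serials, today):
    """Credential validation: issuer signatures, expiration, revocation status."""
    if not hmac.compare_digest(card.chuid_sig, mac(ISSUER_SIGN_KEY, card.chuid)):
        return "credential: CHUID signature invalid"
    expected = mac(ISSUER_SIGN_KEY, card.chuid + template_bytes(card.fp_template))
    if not hmac.compare_digest(card.bio_sig, expected):
        return "credential: biometric signature invalid"
    if today > card.expires:
        return "credential: expired"
    if card.cert_serial in revoked_serials:
        return "credential: certificate revoked"
    return None

def fingerprint_score(stored, live):
    """Toy matcher: fraction of enrolled minutiae found in the live sample."""
    return len(stored & frozenset(live)) / len(stored)

def validate_cardholder(card, pin, live_template):
    """Cardholder validation: something you know (PIN) and something you are (fingerprint)."""
    if not hmac.compare_digest(card.pin_hash, pin_hash(card.chuid, pin)):
        return "holder: PIN mismatch"
    if fingerprint_score(card.fp_template, live_template) < MATCH_THRESHOLD:
        return "holder: fingerprint below match threshold"
    return None

def authenticate(card, responder, revoked_serials, today, pin, live_template):
    """Run the three layers in order and stop at the first failure."""
    for check in (lambda: validate_card(card, responder),
                  lambda: validate_credentials(card, revoked_serials, today),
                  lambda: validate_cardholder(card, pin, live_template)):
        reason = check()
        if reason is not None:
            return False, reason
    return True, "access granted"
```

Because the layers run in order, a card whose chip fails the challenge never reaches credential or holder checks, and a genuine, unexpired card with a revoked certificate is refused before the PIN is ever requested.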

Biometric Authentication Model

The workflow for biometric authentication involves a two-stage process, as depicted in Figure 2 below:

- Initial registration of the individual, preferably “face-to-face,” which, in turn, involves:
  o User identification
  o Feature capture
  o Template construction
  o Inserting a record in the database which, logically, contains at least an accession number, and the user identification
- User authentication, which may be local or remote, and involves:
  o Identity assertion
  o Feature capture
  o Retrieval of the registration template from the asserted-identity record
  o Scoring against the registration template
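The two-stage workflow above carried through in code, as an added example that is not the report's or any DoD system's. It goes one step beyond the list by sweeping the scoring threshold to show the false-reject/false-accept trade-off that the report later discusses for facial matching. Assumptions: templates are constructed 256-bit codes (in the style of an iris code) scored by normalised Hamming distance; “feature capture” is simulated by flipping a few bits of a subject's constructed true code; subject labels and noise levels are constructed.

```python
import hashlib
import random

def true_code(label):
    """Constructed ground truth for a subject's trait: 256 bits derived from a label."""
    digest = hashlib.sha256(label.encode()).digest()
    return [(byte >> i) & 1 for byte in digest for i in range(8)]

def capture(code, noisy_bits, rng):
    """Simulated feature capture: each fresh sample differs from the trait in a few bits."""
    sample = list(code)
    for pos in rng.sample(range(len(code)), noisy_bits):
        sample[pos] ^= 1
    return sample

def hamming_distance(a, b):
    """Normalised Hamming distance: 0.0 = identical codes, about 0.5 = unrelated codes."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

class Registry:
    """Back-office template store keyed by accession number and by user identification."""

    def __init__(self):
        self.records = {}       # accession number -> {"user": user_id, "template": code}
        self.by_user = {}       # user identification -> accession number
        self.next_accession = 1

    def enrol(self, user_id, captured):
        """Stage 1: user identification, feature capture, template, record with accession number."""
        if user_id in self.by_user:
            raise ValueError(f"{user_id} already enrolled")  # one root identity per person
        accession = self.next_accession
        self.next_accession += 1
        self.records[accession] = {"user": user_id, "template": list(captured)}
        self.by_user[user_id] = accession
        return accession

    def authenticate(self, asserted_user, captured, threshold):
        """Stage 2: identity assertion, capture, template retrieval, scoring.
        Returns (accepted, distance); distance is None when nothing is enrolled under the assertion."""
        accession = self.by_user.get(asserted_user)
        if accession is None:
            return False, None
        distance = hamming_distance(self.records[accession]["template"], captured)
        return distance <= threshold, distance

def error_rates(registry, subjects, threshold, noisy_bits, trials, seed=1):
    """Empirical false reject rate (genuine attempts rejected) and false accept rate
    (a subject's live sample accepted under another enrolled identity) at one threshold."""
    rng = random.Random(seed)
    rejects = accepts = 0
    for _ in range(trials):
        for label in subjects:
            live = capture(true_code(label), noisy_bits, rng)
            accepted, _distance = registry.authenticate(label, live, threshold)
            rejects += not accepted
            for other in subjects:
                if other != label:
                    accepted, _distance = registry.authenticate(other, live, threshold)
                    accepts += accepted
    genuine = trials * len(subjects)
    return rejects / genuine, accepts / (genuine * (len(subjects) - 1))

def demo():
    """Enrol four constructed subjects face to face, then sweep the decision threshold."""
    subjects = ["subject-A", "subject-B", "subject-C", "subject-D"]
    registry = Registry()
    rng = random.Random(0)
    for label in subjects:
        registry.enrol(label, capture(true_code(label), 4, rng))  # enrolment capture: 4 noisy bits
    # Later live captures are noisier (10 bits). Raising the threshold lowers false rejects
    # and raises false accepts; that trade-off is the curve the report's Figure 5 plots.
    return {t: error_rates(registry, subjects, t, 10, 20) for t in (0.02, 0.10, 0.30)}

if __name__ == "__main__":
    for threshold, (frr, far) in demo().items():
        print(f"threshold {threshold:.2f}: FRR={frr:.2f} FAR={far:.2f}")
```

With these constructed noise levels a genuine live sample lies between 6 and 14 bits from its template, so a threshold of 0.02 rejects every legitimate user while 0.10 admits all of them without admitting any impostor; real modalities overlap far more, which is why the threshold must be set against measured genuine and impostor score distributions.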

Data Management Issues

It’s not really who you are, it’s what you are. Identity management systems inherently contain, store and manage, sometimes very dynamically, masses of data. These range from raw biometrics, to templated versions of the same, to associated biographic information. Associated privilege information may be involved, and also perhaps digital signatures, certificates and other architectural and security features. Establishing a good data architecture is essential to effective identity management. Being able to retrieve related data and cross reference across relevant data sets is really the point of it all.

Observation: The Department of Defense does not appear to have a comprehensive data architecture for identity management in its various aspects, nor does it appear to have anyone responsible for creating and maintaining such an architecture. This is especially important because the various relevant data sets across which one might wish to operate (i.e., cross reference) are scattered and under “local” control. Indeed, many of the relevant datasets are outside the Department itself. It is very difficult at present, and institutionally resisted to at least some extent, to recognize and accept credentials issued by other federal agencies. The “fix” for this suboptimal situation is broadly embraced within “Privilege Management” concepts, discussed in detail later in this report.

Recommendation 1: The PSA for Biometrics, in the absence of a PSA for identity management, should identify the responsible actor in the Department and ensure that a data model/architecture is developed and maintained. The PSA should become the “functional advocate” for biometrics and identity management, in terms of their use in the Global Information Grid (GIG).


The Power of ID-Sensitive Applications

The value of any Identity Management system exists in the Applications. Simple ID enrollment, in and of itself, never pays off in terms of a demonstrated, measurable and attractive “return on investment”. The processes of establishing programs, gathering and maintaining data, conducting investigations to verify enrollee claims, and issuing badges, all represent costs, and all are front-loaded within an Identity Management implementation. No matter how you measure it, the value is found in the practical use of the Identity Management system. These applications include a broad and ever-expanding range of enhancements to personnel and information security, force protection, intelligence and other important missions. The good news for the DoD is that given all historic effort in developing and fielding the CAC, not to mention HSPD-12, there is already a sunk-cost investment in the necessary foundation upon which an applications architecture can be built.

It is possible to envision an expanding set of ID-sensitive applications in work and society, collectively comprising what one author has termed an “Identiverse,” within which security and functionality are enhanced, privacy as well, if designed and managed properly. Benefits may take the form of increased efficiency in workflow, access to resources, convenience, etc.

The “Back Office” Process

Much of the focus in the application of biometrics in support of identity management is vested in the “front end” or “point of sale.”

- The lance corporal who fingerprints, and thereby identifies, a “high value target,” or his counterpart police officer on the beat who nabs and identifies one of the “ten most wanted”; or
- The guard at the turnstile of a sensitive facility who prevents the would-be terrorist from entering the facility under false pretenses, or the immigration control officer or transportation safety worker who identifies a known terrorist.

However, the real work is being done by the servers in the back office that maintain, compare and retrieve the relevant data on which action can be taken. In Figure 3, the work flow is shown for the Integrated Automated Fingerprint Identification System (IAFIS) run by the FBI’s Criminal Justice Information Services Division (CJIS).[12]

Figure 3: IAFIS Workflow

[12] See Glossary for long titles and definitions used in this model.

In the DoD cases, the work flow is more complicated still because there is a diaspora of datasets that could inform the actions, some of which are under disparate management within the Department, and some outside the Department, as well. As we observe elsewhere, the data models/architectures for the identity management system are critical, as are the hardware and software systems architectures in which the data are embedded. Moreover, for most critical biometric-enabled processes today, there are humans in the loop responsible for quality assurance.

Observation: Enterprise-wide systems analysis has not yet been brought to bear on the identity-management processes that support DoD missions. The business and work-flow processes are neither documented nor fully understood, it seems, and it is not clear where the accountability for these lies.

Recommendation 2: The PSA for biometrics, in lieu of a PSA for identity management, should assign the accountability for analyzing, documenting, and refining the business and work-flow processes and systems architecture(s).


Biometric IndicesBiometric indices have unique characteristics. Different applications of biometrics, different“use cases” or scenarios, place different demands on the biometric indices. Some biometrics arebetter suited than others to a specific use case. Figure 4 suggests a relevant set of attributes bywhich the suitability of the array of biometric indices might be judged.

Figure 4: Biometric Characteristics

In the table at Appendix O, Biometric Modalities Matrix, we evaluate a relevant subset of possible biometric indices against a set of appropriate attributes according to our understanding of their state of maturity as of this writing.[13] Some of these modalities that are of most relevance to DoD activities are discussed in further detail in the following sections.

Facial Recognition[14]

Facial recognition is clearly something that humans rely on daily, yet experience tells us thateither we are not perfect at it, or faces/facial features are not all that unique. Both are likely true,and until recently, humans were about as good at facial recognition as computers,

[13] It is important to note that there are a number of such short-form analyses extant, and all of these are somewhat different in format and/or content. The Task Force drew from existing work, personal knowledge and experience to derive the issues deemed to be of greatest relevance to the DoD, as reflected in the format here. See, inter alia, www.biometrics.gov/referenceroom/introduction.aspx; also www.biometrics.gov/docs/biooverview.pdf

[14] Additional information about face recognition technology can be found at www.biometrics.gov//docs/facerec.pdf

Facial recognition is vulnerable to disguise. Everyday experience suggests that if we are trying to avoid recognition, disguise can be moderately effective, but if we are trying to impersonate someone else, disguise is likely to be somewhat less effective. Notwithstanding, it is a convenient biometric because it is one of the few that is both “machine-readable” and “human-readable,” so it is generally used for identification cards and badges, although it should generally be used in combination with other biometrics, i.e., multi-modal. The ubiquity of surveillance cameras means that, in a sense, a face can leave a trace and therefore be useful forensically, as are DNA and fingerprints. As the resolution and other performance characteristics of these improve, Facial Recognition (FR) will become increasingly viable as a reliable identification tool.

Obviously, FR is also attractive from the standpoint of the opportunity it represents to detect, verify and track at some distance. It is not alone in this attribute, and performance is not yet optimal, but we may highlight this aspect of FR as an important avenue of future research effort. (See chapter 12.)

Man Against Machine

Humans are not used to matching fingerprints, or DNA, but we do have a lot of practical experience at recognizing and recalling human faces.[15] How good are we compared to the current state of computer facial recognition?

Recent research, sponsored by several interested federal organizations,[16] suggests that we are not all that bad at it. Or, said differently, computers aren’t all that much better. Figure 5 maps the probability of a correct recognition against the probability of a false acceptance in identity matching of “difficult face pairs.”[17] While there were two or three machine algorithms that surpassed the performance of the humans, we humans did quite well, and managed to beat out the majority of the machine algorithms. In this same paper, most face systems easily beat human performance on “easy face pairs.”

[15] Studies have shown that individuals are good at recognizing faces they are familiar with (family, friends, celebrities, etc.), but not so good with unfamiliar faces. Individuals also tend to be better at distinguishing faces within ethnic groups that they have the most contact with (someone that doesn’t personally know someone from a particular ethnic group will have difficulty distinguishing faces from that ethnic group).

[16] Federal Bureau of Investigation, National Institutes of Justice, Department of Homeland Security and the Technical Support Working Group.

[17] Alice J. O’Toole, The University of Texas at Dallas, Human vs. Machine Performance, research sponsored by the TSWG, USG.


Figure 5: Facial Matching Performance Curves

Of course, the computer is significantly faster, but the same research did show that humans aren’t all that slow; our performance did not improve if we took longer than two seconds to contemplate the faces. Human performance did decline noticeably if the faces were only shown for a half second or less. Ultimately, though, computers will be increasingly fast and powerful, increasingly small and inexpensive, and have access to ever-improving matching algorithms. In the Task Force’s view, this is the key insight: At the same time, collection devices (cameras) will also increase in ubiquity and performance. Taken together, these conditions are expected to lead to strong advances in the prevalence and performance of automated FR applications. The emergence and refinement of “3D imaging,” as discussed later, will only serve to accelerate this trend. The “Rubicon” will be the acceptance of FR, given these enhancements, as an operationally-practical modality for accurate, high-volume and high-speed search, which it is not today.

Fingerprint Identification is the method of identification using the impressions made by the minute ridge formations or patterns found on the fingertips. One can hardly be unaware of the fact that criminal Identification by means of fingerprints is one of the most potent factors in apprehending fugitives.

According to the FBI, no two persons have exactly the same arrangement of ridge patterns, and the patterns of any one individual remain unchanged throughout life, in which case fingerprints offer an infallible means of personal identification.

Fingerprints can be recorded on a standard fingerprint card or can be recorded digitally[19] and transmitted electronically to an authoritative service provider such as the Biometrics Fusion